EPIC released its Privacy Report Card for the Obama Administration at a
briefing held at the National Press Club. EPIC scored the
Administration
with an "Incomplete" for Consumer Privacy, A- for Medical Privacy, C+
for Civil Liberties, and a B for Cyber Security.

EPIC's grades were based on a review of the Administration's privacy
initiatives. EPIC cited the vacancies on the Federal Trade Commission,
the continuation of the Bush Administration's policies on the use of the
"state's secrets privilege," the Department of Homeland
Security's
support for PASS ID, and privacy exemptions for social networking
services as areas where the Administration has failed
to protect
privacy.

EPIC recognized the early work of the Administration to bring greater
transparency and openness to the work of the Federal government.
They
also sited the very strong privacy language for medical health records
that is included in the Economic Stimulus Law. However,
a number of
programs began under the previous Administration have not been
challenged or cancelled by the Obama Administration. These
programs
include the use of National Security Letters, expanding fusion centers,
and adoption of 0whole body imaging technology.

A panel of privacy experts offered their own perspective on how the
Administration is doing on several key issues including: No-Fly
list,
border searches of digital devices, state preemption, and behavioral
marketing.

The scores given by EPIC did not reflect the public's participation in
the online scorecard. The public's privacy report card for
the
Administration was "F" in all categories.

On September 4, 2009, EPIC filed papers in federal district court on the
proposed settlement between Google, authors, and publishers.
The Google
Books Settlement would create a single digital library, operated by
Google, but currently fails to limit Google's use
of the personal
information collected. EPIC stated that the settlement "mandates the
collection of the most intimate personal information,
threatens
well-established standards that safeguard intellectual freedom, and
imperils longstanding Constitutional rights, including
the right to read
anonymously." EPIC further warned that the Google Books deal "threatens
to eviscerate state library privacy laws
that safeguard library patrons
in the United States." EPIC has previously participated as a "friend of
the court" in many cases involving
privacy issues. The Court denied EPIC
Intervenor status, but invited EPIC to advocate for readers' privacy as
an Objector to the
proposed agreement.

The Google Books project began in 2004 as an online research tool and
database that permitted access the full or partial text of millions
of
books. Google entered into agreements with several libraries to digitize
books, including books protected by U.S. Copyright law,
in those
libraries' collections. In 2005, the Authors Guild and several
publishers sued Google. The rightsholders alleged that the
project's
digitization process infringed their copyrights. In response, Google
argued that its digitization of the books is permitted
under U.S.
Copyright law. In 2008, the parties negotiated a proposed settlement.
The federal court for the Southern District of New
York must analyze the
settlement's fairness, and approve or reject the terms. EPIC told the
Court that "the proposed settlement profoundly
implicates the privacy
interests of millions of Internet users, ... yet none of the parties to
the agreement represents these interests."

Days before EPIC's filing, Federal Trade Commission Chairman John
Liebowitz issued a statement, calling attention to privacy concerns
and
the vast amount of consumer information that could be collected. The
Chairman expressed the Commission's commitment to evaluating
the privacy
issues presented by Google Books, a sentiment that was echoed by
Commissioner Pamela Jones Harbour in her statement.
In a separate
letter, FTC Consumer Protection Director David C. Vladeck urged Google
to address consumer privacy concerns and to
limit the secondary use of
user data.

In July, the Department of Justice announced an investigation into
Google's proposed settlement with book publishers and authors.
The
Department "determined that the issues raised by the settlement warrant
further inquiry," and noted that commentators have "expressed
concern
that aspects of the settlement agreement may violate the Sherman
[anti-trust] Act." The announcement followed the European Commission's
notice of a similar investigation. The European Commission
met on
September 7, 2009 to examine the proposed settlement.

EPIC has a long history of opposing actions that consolidate data
concerning users' online habits. On April 20, 2007, EPIC and other
privacy groups filed a complaint with the Federal Trade Commission,
requesting that the agency open an investigation into the proposed
Google/Doubleclick merger. EPIC identified specific privacy threats
arising from the heightened ability of the merged company to
record,
analyze, track, and profile Internet users' activities. The Department
of Justice later scuttled Google's proposed deal with
Yahoo based on
similar privacy concerns. The Department's probe focused on Google's
growing power in advertising.

On August 25, 2009, the Department of Homeland Security (DHS) released a
Privacy Impact Assessment for searching electronic devices
possessed by
travelers at U.S. borders, determining that it maintains the right to
search and seize all data on electronic devices
carried across the
border. Currently the U.S. Customs and Border Protection (CBP) and the
U.S. Immigration and Customs Enforcement
(ICE) have broad powers to
search travelers, including United States citizens, who cross the U.S.
border. The 51-page study was designed
to determine how searches of the
contents of electronic devices compared to physical searches of
travelers' belongings.

When it comes to searching physical possessions, CBP and ICE are
authorized to conduct warrantless searches and investigations of
travelers to determine whether they are carrying contraband or entering
the country illegally. These searches are authorized even
in the absence
of any reasonable suspicion. The new Assessment clarifies the
government's belief that this authorization extends
not just to physical
possessions, like briefcases and backpacks, but also to the data stored
on electronic devices. The Assessment
acknowledges that the privacy
implications of searching electronic devices are broader than those of
searching physical possessions,
in large part because of the large
amounts of data that may be stored on travelers laptops, PDAs, cell
phones, and other devices,
as well as the potentially sensitive nature
of the information. The study goes on to discuss the various methods by
which the two
agencies may look at travelers' data: examination with the
traveler present, "detention," of a device which may last for up to five
days, seizure of a device with probable cause, and retention of data
copies.

The Assessment identifies six privacy risks associated with these
activities: "(1) travelers may need additional information regarding
the authority to conduct border searches; (2) the traveler may be
unaware of the viewing or detention of his/her information by CBP
and
ICE; (3) personally identifiable information may be detained where
it is not needed; (4) PII may be misused by CBP and ICE officers;
(5)
CBP and ICE may disclose PII to other agencies that may misuse or
mishandle it; and (6) new privacy risks may arise as the technology
involved in this activity is ever-changing."

The study determines that the first risk is not a problem in the face of
"overwhelming precedent." But the agency came to this conclusion
- that
there is no risk - because it is treating precedent referring to
physical searches as if it automatically applies to electronic
searches.

According to the assessment, the only way for the agency to address the
last risk factor is for it to conduct ongoing scrutiny, and
the study
calls for regular reassessment.

The rest of the Assessment attempts to identify possible ways to
mitigate the second through fifth. DHS identifies various ways to
improve transparency, individual participation, purpose specification
with accompanying use limitations, minimization procedures,
data
integrity, security, and accountability, for both CBP and ICE. The
primary change now being implemented is to clarify signage
at ICE and
CBP search points to inform travelers that their electronic devices are
subject to search and copy. However, the overall
effect of the
Assessment is a reiteration of the DHS position that all electronic
border searches are legal even without reasonable
suspicion.

While they purport to conform to the standards set in the Privacy Act of
1974, these policies fail to conform to the intent of the
Act by
continuing to allow broad access to all of travelers' data without any
reasonable suspicion. The policies also allow the agencies
to share
this information with third parties if they need those third parties'
assistance with accessing or translating the data,
a practice which puts
travelers at increased risk of identity theft.

On September 4, 2009, the White House announced a new policy to release
the records of White House visitors, an initiative that is
intended to
promote open government. In a released statement, President Obama
described the initiative:

"For the first time in history, records of White House visitors
will be made available to the public on an ongoing basis.
We will
achieve our goal of making this administration the most open and
transparent administration in history not only
by opening the doors
of the White House to more Americans, but by shining a light on the
business conducted inside it. Americans
have a right to know whose
voices are being heard in the policymaking process."

Under the policy, the White House will release information on all
individuals who come to the White House for an appointment, a tour,
or
to conduct official business, with certain exceptions for confidential
or particularly sensitive meetings. For example, the White
House will
not release access records that implicate national security or records
from meetings with prospective Supreme Court nominees.
It will also
withhold the records from purely personal guests of the first or second
families.

The White House also promised not to release visitors' personal
information or information that implicates law enforcement concerns.
The
personal information that the policy will protect includes such data as
dates of birth, social security numbers, and contact
phone numbers. Law
enforcement concerns will prevent the White House from releasing records
that may implicate the personal safety
of the staff of the Executive
Office of the President, such as their daily arrivals and departures.

EPIC has spoken with White House representatives and informed them of
the possible privacy risks of this new policy. The policy would
disclose the names of tourists and other visitors who are not meeting
with government officials. This information is not necessary
to promote
the open government objectives set forth in this policy and could create
unnecessary privacy risks, which should be considered
by the White
House.

In a related matter, EPIC recently filed a request to the Department of
Homeland Security under the Freedom of Information Act, seeking
information regarding meetings between the Department of Homeland
Security (DHS) Chief Privacy Officer, Mary Ellen Callahan,
and third
parties. In the spirit of the new policy announced by the White House,
that information should be available to the public.
However, DHS'
response to the request was heavily redacted, obscuring much of the
information that, by analogy, would be available
under the White House
policy. EPIC is appealing the redactions and seeking more complete
records.

This week, Rep. Rick Boucher (D-Va.), chairman of the House
Communications, Technology and the Internet Subcommittee, announced that
he is drafting a bill that would impose strict rules on websites and
advertisers regarding the use of consumer information. This
important
legislation comes at a time when online behavioral marketing techniques
are being scrutinized for the unauthorized use
of consumer data. One of
these techniques involves deep-packet inspection, which enables Internet
Service Providers to intercept
virtually all of their customers'
Internet activity, including web surfing data, email, and peer-to-peer
downloads.

Boucher's goal in drafting the web-privacy bill is "to ensure that
consumers know what information is being collected about them on
the Web
and how it is being used, and to give them control over that
information." Boucher, who is working with Reps. Cliff Stearns
(R-Fla.)
and Bobby Rush (D-Ill.) on the bill, attempts to strike a balance
between the interests of privacy watchdogs and of websites
and
advertisers in assessing the default standard for websites to monitor
and gather consumer data. The bill would impose different
standards on
websites for different types of consumer data. Websites that collect
information for targeted advertising should allow
consumers the
opportunity to opt out of having their online activity tracked.
Further, websites would be obligated to offer a detailed
description of
how the information is collected, disclosed, and used. On the other
hand, websites collecting sensitive personal information,
including
medical or financial data or other personally-identifiable information,
would be required to have users opt in before tracking
their interests.

This bill follows several pieces of significant online privacy
legislation, such as the Children's Online Privacy Protection Act,
but
is the first to regulate online advertising. While many privacy
watchdogs welcome the bill, others, such as Adonis Hoffman, Senior
Vice
President and Counsel of the American Association of Advertising
Agencies, do not believe that legislation is necessary because
the
Federal Trade Commission (FTC) already calls for self-regulation in the
area of online advertising, which Hoffman says "the industry
is taking
quite seriously." FTC Commissioner Jon Leibowitz, however, warns that
the "[i]ndustry needs to do a better job of meaningful,
rigorous
self-regulation, or it will certainly invite legislation by Congress and
a more regulatory approach by our commission."

As of September 1, 2009, The Federal Trade Commission has prohibited
commercial telemarketing calls to consumers. The agency amended
the
Telemarketing Sales Rule, which was authorized under is the
Telemarketing and Consumer Fraud and Abuse Prevention Act. The Rule,
which imposes a penalty of $16,000 per call, has been expanded to cover
sellers and telemarketers who transmit prerecorded messages
to consumers
who have not agreed in writing to accept such messages. The new rule
does not prohibit informational messages or calls
by politicians, banks,
telephone carriers, and charities. EPIC has urged the Federal
Communications Commission to require strong
privacy safeguards for
telephone customers' personal information, and protect wireless
subscribers from telemarketing. For more information,
see EPIC
Telemarketing and Telephone Consumer Protection Act.

The Canadian Privacy Commissioner issued a report last month raising
concerns over Facebook business practices. The Office asked the
social
networking firm to cease the sharing of user information with
application developers, clarify the policy on deactivation and
deletion
of accounts, protect the personal information of non-users, and
"memorialize" the account of deceased users. In complying
with the
Commissioner's report, Facebook will include new notifications, update
its Privacy Policy, and implement technical changes
to enable more user
control over information accessed by third-party applications. Facebook
also faces a lawsuit by five users filed
in California's Orange County
Superior Court, alleging that Facebook violated several California
privacy laws. EPIC had previously
raised similar concerns about the use
of Facebook data by application developers.

At the Gov 2.0 Conference in Washington, D.C. this week, the Obama
Administration announced that the public websites for certain government
agencies would begin participating in a pilot program using the OpenID
and Information Card joint authentication systems. The agencies
include
the Center for Information Technology, National Institutes of
Health, U.S. Department of Health and Human Services, and
related
agencies." The system should allow for citizens to use services
on those websites by logging in with accounts that they may already
have
from other OpenID participating web sites, including Yahoo, PayPal,
Google, and America Online, among several others. According
to the
providers'
press release, the system will allow users to choose a qualifying
identity provider that will supply authentication
credentials on their
behalf. Depending on settings and requirements, theoretically this will
allow for users to participate with
varying levels of anonymity or
identification.

On September 9, 2009, the Senate Judiciary Committee conducted a hearing
regarding the reliability of forensic techniques. According
to a
congressionally-mandated report by the National Research Council, there
are "serious deficiencies in the nation's forensic science
system," and
"major reforms and new research" are needed. In 2008, EPIC submitted an
amicus brief to the Supreme Court in Herring
v. United States in which
EPIC explained how government databases are becoming increasingly
unreliable and urged the Court to "ensure
an accuracy obligation on law
enforcement agents who rely on criminal justice information systems."
EPIC's brief was cited by Justice
Ginsburg, writing for four Justices in
dissent.

Starting Tuesday, September 8, 2009, all federal government contractors
must verify their employees' eligibility to work in the United
States
using E-Verify, an electronic security system implemented by the
Department of Homeland Security and the Social Security Administration.
Employers will continue collecting employee information from an I-9
form, including two forms of identification, but are now required
to run
this information against the E-Verify system, which is linked to the DHS
and Social Security Administration databases. If
there is an
inconsistency between the employee's information and the E-Verify
system, the employee has eight working days to challenge
it. The program
has been challenged several times, including once by the US Chamber of
Commerce, and come under scrutiny because
of the likelihood of
inaccuracies in the databases and the system's failure to identify those
employees who are illegally using others'
valid names and numbers.

The 2009 Secrecy Report Card, from Openthegovernment.org, chronicles
slight decreases in government secrecy during the last year
of the
Bush-Cheney Administration. The report, released by a coalition of more
than 70 open government advocates, also provides
an overview of the
Obama Administration's proposed transparency policies. Among the issues
discussed are the Open Government Directive,
Classified Information, the
Freedom of Information Act memo, signing statements, and the
state secrets, doctrine.

Cass Sunstein's book explores one of the little known or discussed
bold proposals of President Franklin D. Roosevelt: a second
bill of
rights. In policy and politics few ideas are new, but often take
time to find fertile ground for growth.

The notion that Americans needed a second bill of rights grew from
the deprivation caused by the Great Depression and the
resulting
existential struggle of democracy against fascism. It is easy to
forget how close this world came to losing democracy.
It would have
died under the heel of fascism if the United States had not the
capacity or will to fight. People - not only
in Europe, but also in
the United States - desperately wanted leaders who would bring an
end to their suffering caused by
the global depression. As a result,
Churchill, Roosevelt, Stalin, Hitler, and Mussolini emerged as
leaders. Hitler and Mussolini,
as fascists, appeared to be bringing
an end to high unemployment and want, which made many in the United
States desire that
same system of government for themselves: to be
free from fear of starvation, want, and a lack of basic needs was an
irresistible
force. What was not understood very well in the
beginning was how Fascism was able to accomplish so much in such a
very short
period of time. By abolishing the judicial and
legislative branches of government the executive branches in those
nations
became all powerful. Their goal was not about providing for
the needs of all, but to motivating their people through fear. The
government's use of aggression in the form of political, social, and
economic sanctions against citizens who were deemed
undesirable,
seemed rationale the majority of people living in those nations.
Once basic liberties and freedoms had been
suppressed the fascist
regimes turned their aggression outward.

The Second World War became the ultimate test of democracy. If
democracy was to survive, it not only had to win a global war,
but
it also had to secure itself and future generations from the
temptation to pursue forms of government or policies that
would
corrupt its foundational principles of life, liberty, and the
pursuit of happiness. In the depths of the depression
and the rise
of the Fascist state, in June and July of 1940, President Roosevelt
proposed a declaration of human rights for
the US. He proposed the
protection of the government should extend to "certain freedoms:"
freedom of information, freedom
of religious liberty, freedom of
expression, freedom from fear, and freedom from want. His
definition of what it required
is still part of today's dialogue on
human rights. These principles are included in the constitutions of
major governments
that emerged following World War II, and the
Universal Declaration of Human Rights ratified by most of the
nations of the
earth including the United States, and is agreed to
by most members of the United Nations.

The relevance Roosevelt's proposed new Bill of Rights, as reiterated
in the book by Cass Sunstein, are the enumeration of
basic
necessities of American political and economic life: equal
opportunity, employment, security, end of special privilege,
civil
liberties, and scientific progress toward higher standards of
living. These have been the over arching issues in our
post 9/11
world. We have seen a single definition of security that allowed
special privilege for some (those who could afford
a Registered
Travel ID), the undermined of civil liberties (warrantless wiretap
surveillance of telephone calls, national
ID, and secret government
watchlist programs), that suppressed freedom of information (secrecy
in all actions of government,
no bid contracting, rules of secrecy
expanded to include legal memorandum that purportedly rationalized
government action)
and that hindered scientific progress (increased
travel restrictions making it difficult for scientific conferences
to be
held in the US, coupled with arrest and prosecution of
researchers attending conferences in the US under the Digital
Millennium
Copyright Act meant that many of the important
discussions in a wide range scientific and engineering innovation
did not
happen in this country).

As the nation contends with one of the issues that Roosevelt
promoted as an important freedom under his proposed new bill
of
rights, that is, access to adequate and affordable health care, it
is important to note that 60 years after his proposal
this nation
still has not exhausted the wealth of wisdom shown by one of the
world's greatest leaders. The look back offered
by this book is of
value especially for the reminder that desperate people may be
tempted to do desperate things, but it
takes leadership to stay the
course and serve as the morale compass for our nation.

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access laws.
This updated version includes new material regarding the substantial
FOIA amendments enacted on December 31, 2007. Many of the recent
amendments are effective as of December 31, 2008. The standard reference
work includes in-depth analysis of litigation under Freedom
of
Information Act, Privacy Act, Federal Advisory Committee Act, Government
in the Sunshine Act. The fully updated 2008 volume is the 24th edition
of
the manual that lawyers, journalists and researchers have relied on
for more than 25 years.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
foundation
for an exciting course in this rapidly evolving area of law.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in
over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
Price:
$40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for
students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It
includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the
Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

Pan-European Dialogue on Internet Governance (EuroDIG), Geneva,
Switzerland, September 14-15, 2009. For more information:
http://www.eurodig.org/ "Practical Approaches to Privacy in Health
Reform," Deven McGraw of the Center for Democracy and Technology,
Seventeenth National
HIPAA Summit in Washington, DC, September 16, 2009.
For more information: http://www.cdt.org

Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or
share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do
not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus
public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical
record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.
Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute
online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation
of encryption and
expanding wiretapping powers.